Intel SGX2 Support Coming With Linux 6.0
At the end of last year, Intel engineers began posting SGX2 Linux kernel patches for this evolution of Software Guard Extensions, which allows for dynamic memory management of enclaves. Over the past few months the SGX2 patches got into shape and are now ready to be mainlined with Linux 6.0, which would otherwise have been called Linux 5.20.
Intel Software Guard Extensions (SGX) is a CPU security feature for private memory regions, called "enclaves", that are inaccessible from the outside. SGX enclaves are encrypted, and this functionality has been around since Skylake. Software Guard Extensions have received some criticism since their 2015 arrival, particularly with a number of vulnerabilities coming to light over the years, such as SGAxe, Plundervolt, LVI, and others. Intel deprecated SGX on the client side starting with 11th Gen Core processors but continues supporting it for cloud and server hardware. With Intel Ice Lake and Gemini Lake comes SGX2, a set of improvements to SGX enclaves allowing more dynamic control. Besides a supported processor, the BIOS must also support SGX/SGX2.
Intel's Dave Hansen on Wednesday submitted the x86/sgx updates for Linux 6.0. The main focus of this pull is on implementing SGX2 features. Of the 2.6k lines of new kernel code, he commented, "SGX2 ISA support which makes enclave memory management much more dynamic. For instance, enclaves can now change enclave page permissions on the fly."